A Security Advisory has been raised for IMPatienT v1.5.0 (CVE-2023-23637):
Description:
IMPatienT v1.5.0 allows Stored Cross-Site Scripting (XSS) via onmouseover in certain text fields within a PATCH /modify_onto request.
This may allow attackers to steal Protected Health Information (PHI).
Suggested Fix:
Consider sanitizing user input parameters by removing all non-compliant characters. Additionally, you could consider encoding the user input using HTML or URL methods.
The JSON sanitization is done on the server side. You can still XSS yourself while editing, but once you press "save tree" it will be sanitized before being updated. So other users will never have it.
Feel free to re-open if there is still something wrong!
EDIT:
For more details related to your example, once saved Keyword Image Annotation 2<a onmouseover=alert('XSS')>XSS</a>
becomes: Keyword Image Annotation 2<a>XSS</a>
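An added example, not IMPatienT's own code, of the server-side behaviour described in the reply above: an allowlist sanitizer built on Python's standard `html.parser`, applied to every string in a decoded JSON tree before it is stored. The tag allowlist, the URL scheme list and the names `sanitize_text` and `sanitize_tree` are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Assumed allowlist (tag -> permitted attributes); not IMPatienT's actual policy.
ALLOWED = {"a": {"href"}, "b": set(), "i": set(), "em": set(), "strong": set()}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
# Sample value taken from the reply above.
SAMPLE = "Keyword Image Annotation 2<a onmouseover=alert('XSS')>XSS</a>"


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return  # unknown tag dropped; its text content is still escaped and kept
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            ok = name in ALLOWED[tag]  # False for onmouseover, onclick, style, ...
            # href must also use a web scheme, which rejects javascript: URLs
            if ok and (name != "href" or value.lower().startswith(SAFE_SCHEMES)):
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text nodes are re-encoded so they can never be parsed as markup.
        self.out.append(html.escape(data, quote=False))


def sanitize_text(value):
    parser = AllowlistSanitizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)


def sanitize_tree(node):
    """Sanitize every string value in a decoded JSON document (keys are left as-is)."""
    if isinstance(node, str):
        return sanitize_text(node)
    if isinstance(node, list):
        return [sanitize_tree(item) for item in node]
    if isinstance(node, dict):
        return {key: sanitize_tree(val) for key, val in node.items()}
    return node
```

Sanitizing at save time protects other users only if every write path goes through it; encoding the value again when it is rendered covers records stored before the check existed.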
Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-23637
https://nvd.nist.gov/vuln/detail/CVE-2023-23637
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
Payload: